Fibre Channel (SAN)

Reply
Occasional Contributor
oscar.reina.ext
Posts: 14
Registered: ‎11-22-2010

DCX Firmware download Failed

Hi forum,

I have a new DCX 8510. i want to upgrade FABOS, but i have the following issue:

Firmware is being downloaded to standby CP. This step may take up to 30 minutes.

Firmware is being downloaded to Standby CP. Please wait...

Firmware download failed on standby CP - Failed to validate firmware signature. (0x3e)

Please use firmwaredownloadstatus and firmwareshow to see the firmware status.

i read and found the possible reason in the fips configuration:

DCX85:FID128:admin>fipscfg --verify fips

Standby firmware supports FIPS

Self Tests mode is not enabled.

Root account is enabled.

Radius check has passed

Authentication in VF 128 uses MD5 hash algorithm.

Authentication in VF 128 uses DH group 0.

Authentication check failed.

Inflight Encryption check has passed

IPSec check has passed

Telnet port number <23> for the policy <default_ipv4> is in permit state.

HTTP port number <80> for the policy <default_ipv4> is in permit state.

RPC port number <897> for the policy <default_ipv4> is in permit state.

Telnet port number <23> for the policy <default_ipv6> is in permit state.

HTTP port number <80> for the policy <default_ipv6> is in permit state.

RPC port number <897> for the policy <default_ipv6> is in permit state.

SNMP is not in read only mode.

Bootprom access is enabled.

Firmwaredownload signature verification is enabled.

Secure config upload/download is enabled.

SSH DSA Keys check passed

Inband Management interface is disabled.

Ipsecconfig is disabled.

WARNING !! IPSec feature for FCIP channels are not FIPS Certified.

It would be recommended to disable this feature for complete FIPS certified environment

How can i disable the signature verification? or how should i resolve this issue?

Thanks for your help!

Valued Contributor
felipon
Posts: 686
Registered: ‎06-11-2010

Re: DCX Firmware download Failed

Hi,

AFAIK firmwaredownload signature verification it is not enabled by default, so It would be a good practice to find out who/why it is enabled.

If you are not in a FIPS environment, to disable firmwaredownload signature verification, you just have to follow this simple procedure:

ED48K_132:admin> configure

Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.

Configure...

  Fabric parameters (yes, y, no, n):
  System services (yes, y, no, n):
  ssl attributes (yes, y, no, n):
  rpcd attributes (yes, y, no, n):
  cfgload attributes (yes, y, no, n): y

        Enforce secure config Upload/Download (yes, y, no, n):
        Enforce signature validation for firmware (yes, y, no, n): n

  webtools attributes (yes, y, no, n):

ED48K_132:admin>

In addition to this, I would confirm that the FOS copy you're using is not corrupt, just in case...

Kind regards

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.